Responsible Disclosure Policy

We ask if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner. If you want to encrypt your disclosure email, please email us at security@98point6.com by using our PGP key below.

We request that parties do not engage in any of the following:

Attempts to modify/destroy/corrupt other users data.

Attempts to (D)DoS 98point6 products, services or applications.

Any violations of applicable law.

Accessing other user’s account details or any other user’s private information.

We may ask parties to destroy any information they hold that does not belong to them, after we have confirmed the vulnerability. This includes Protected Health Information (PHI) or Personally Identifiable Information (PII), and any other information we deem a threat to the security or privacy of our customers.

Customer Security

Since we deal with PHI and PII we require that any such information is transmitted and/or stored securely. We request that details of any PHI/PII or the disclosed vulnerability not be disclosed to any third parties or to the public to the extent legally possible.

Commitment

Reports submitted to 98point6 in good faith and pursuant to this process will result in 98point6’s commitment to the following:

We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.

If your report is reproducible as an exploit and results in a change to the code base or documentation of a 98point6 product, we will – at your option – publicly acknowledge your responsible disclosure.

Any information shared with us will be kept confidential within 98point6 where permitted by law.